SHARED ASSESSMENTS: The Trusted Source in Third Party Risk Management
GDPR: Data Processor Privacy Tool Kit – Appendix: Shared Assessments Standardized Control Assessment (SCA) Privacy Assessment Reporting Template
BUILDING GDPR BEST PRACTICES
DATA PROCESSOR PRIVACY TOOL KIT
Standardized Privacy Questions and Mapping
Target Data Tracker Template
Privacy Assessment Report Template
Contract Privacy Considerations
Privacy Testing Procedures
Privacy Artifacts Checklist
© 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.
GDPR: Data Processor Privacy Tool Kit - Version 1.0: Appendix - 2018 SCA Privacy Report Template 1 of 19
2018 SHARED ASSESSMENTS STANDARDIZED CONTROL ASSESSMENT (SCA) REPORT TEMPLATE
An SCA Companion Tool for Data Capture and Reporting Third Party Control Validation Including Cybersecurity, Information Technology, Privacy, Cloud, Data Security and Business Resiliency
Note: This GDPR Tool Kit Version Contains Only the Privacy Section of the SCA Report Template
Documents created under the Shared Assessments Program may be downloaded from the official Shared Assessments Program website at: www.sharedassessments.org.
While retaining copyrights, the Shared Assessments Program makes specific documents available to members and purchasers for the purpose of conducting self-assessments and third party control assessments. Licenses for other uses are available from Shared Assessments. Individuals and organizations should review the terms of use prior to downloading, copying, using or modifying Shared Assessment Program documents.
This notice must be included on any copy of the Shared Assessments Program documents, excluding assessors’ or consultants’ reports.
The Shared Assessments Program is administered by The Santa Fe Group (www.santa-fe-group.com). Questions about this document and the program should be directed to: [email protected].
Introduction 4
P. Privacy 6
P.1 Privacy Program Management 6
P.2 Privacy Organization & Program Maintenance 7
P.3 Privacy Awareness 9
P.4 Privacy Risk Assessments 10
P.5 Privacy Notice, Choice & Consent 10
P.6 Web Site Compliance 12
P.7 Management of Client-Scoped Privacy Data 13
P.8 Data Protection, Privacy Incident Notification and Response Management 15
P.9 Third Party Privacy Agreements 16
P.10 Authorizations, Monitoring & Enforcement 17
Introduction
This companion document to the SCA, the SCA Report Template, provides a standardized approach to collecting and reporting onsite control assessment results. The template provides a mechanism to track “compensating items” and is a tool for organizations that do not have a proprietary enterprise risk platform in place to manage onsite assessment results and reporting. Alongside testing for the specific controls identified in the SCA, the SCA Report Template allows an assessor to include any additional mitigating controls (and accompanying documentation) believed to be relevant to satisfying a control requirement. Of note for the 2018 Tool Release: the Agreed Upon Procedures (AUP) Tool has been renamed the Standardized Control Assessment (SCA) procedures. This was done to better communicate the function of the SCA and to align its name with the Standardized Information Gathering (SIG) questionnaire. In 2018, these two Shared Assessments Program Tools have been even more tightly aligned and designed to be used together. The name change will also help eliminate possible confusion with AICPA “Agreed Upon Procedures” (AUP) Attestation Engagements.
Note: Additional information regarding the SCA and SCA Report Template is available at www.sharedassessments.org.
Organizational Background
Scope
Scoping statement from the service provider, to include the company name, locations, systems, services, products, etc. to be included in this assessment. Determining scope is a critical step in executing the SCA. Scope is to be determined based on the general controls of the technology, systems and processes that are common to any or all clients. Client-specific contractual requirements should not be included in the scope of this assessment, as the SCA is designed to be distributed to any client who requests it, similar to how a company would determine the controls to be tested in an SSAE 16/18 engagement.
ASSESSMENT FIRM AND/OR ORGANIZATION TO PROVIDE COVER LETTER
P. Privacy
Domain Objective:
Organizations should establish and maintain a privacy program and management framework to control and manage the protection of client-scoped privacy data and client confidential information, including any classification of non-public personal information or personal data of individuals. This should include the overall management of client-scoped privacy data and confidential information within the organization and with third parties. The privacy program should include: individuals or organizational structures responsible for the creation, oversight and maintenance of the program; privacy data inventories and flows; privacy policies or procedures that address notice, choice and consent for client-scoped data; the management of client-scoped privacy data through its life cycle of collection, storage, usage, processing, sharing, transferring, securing, retention and destruction; third party agreements for meeting their commitments under the organization’s business requirements, applicable privacy laws, policies, processes, technologies and industry leading practices; and applicable authorizations, monitoring and enforcement mechanisms that address inquiries, disputes or complaints.
P.1 Privacy Program Management
Objective:
An organization should understand the scope of the client-scoped privacy data inventory and flows in order to understand which privacy regulations are triggered based on data classification. An organization should maintain an inventory of client-scoped privacy data that should, at a minimum, define client-scoped privacy data by data category or data classification based on the data inventory, assign ownership for management of client-scoped privacy data, and document the flow of client-scoped privacy data throughout the data life cycle of collection, storage, usage, processing, sharing, retention and retirement through the organization. The inventory and flows should include all client-scoped privacy data that is provided to, or shared with, any of the organization’s affiliates, subcontractors or other third parties, including any cross-border data flows.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Confirm scope of specific privacy regulatory jurisdictions that are applicable to the client-scoped data and the services in scope for the assessment.
Obtain from the organization a copy of its client-scoped privacy data inventory, the inventory/data flow and a copy of the privacy policy, data classification policy and procedures for jurisdictions determined to be in scope.
Obtain from the organization a list of current third parties that access scoped privacy data, and randomly select a sample of five from the third party list.
For the third parties identified in the above sample set, obtain from the organization a copy of the privacy data inventory, the inventory flow and a copy of the privacy policy, privacy notices, related approvals and procedures for jurisdictions determined to be in scope.
For the organization, and each third party in the sample chosen, inspect the privacy inventory flow documents obtained above for evidence of the following attributes:
Security classification for each data subject category
Privacy inventory and data flow for each jurisdiction or group of jurisdictions
Privacy inventory flow for sources/origin (including detailing from whom [entity], from where collected [country] and how collected [electronic, paper]), specifically including countries with privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canada, China, AR, AU, NZ, HK, JP and other onward transfer requirements or cross-border data access for privacy of scoped privacy data, such as Privacy Shield, APEC or various seal programs)
Scoped privacy data owner and scoped privacy data controller, if applicable
Location (entity and country) for storage
Retention and destruction schedules
Purpose(s) for collection and use
List of who (role and location [entity and country]) uses scoped privacy data for what purposes
List of who (role and location [entity and country]) receives scoped data
Comments:
P.2 Privacy Organization & Program Maintenance
Objective:
An outsourcing organization should ensure that the service provider and its applicable third parties each have a designated privacy function with assigned responsibility for its privacy policy and privacy program as they relate to client-scoped privacy data. The privacy program should contain enforcement and monitoring procedures and a change management procedure to remain current with privacy changes in business requirements, applicable privacy law, policy and industry best practices.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Using the sample of third parties from the list obtained in P.1 Privacy Program Management, obtain from the organization and from the selected third parties (for outside parties, seek this information through the organization being assessed) a copy of the current, approved organization chart and procedures for privacy function responsibilities; the most recent reviews, due diligence, compliance and enforcement events, audits, external assurance reports (e.g. ISO, SCA, PCI, SOC, HiTrust, etc.), security program audits, remediation plans and changes implemented during the past 12 months; and any privacy regulator findings or court ruling(s) concerning scoped privacy data, each confirmed by the third parties as current and complete.
For each third party in the sample chosen, inspect the documents to confirm the organization and third parties have documents regarding their responsibilities for managing their privacy program and supporting the privacy programs of their clients, by looking for evidence of the following attributes:
An individual or function is responsible for privacy
Due diligence procedures for third parties regarding compliance with applicable privacy law prior to contracting with a third party
Evidence of review of company-scoped privacy data practices for compliance with the privacy program, and enforcement procedures for non-compliance
Confirmation of the organization having conducted assessments or received external audit reports of third parties accessing scoped privacy data
Security program audits or assessments
Confirm that organization procedures are in place specific to unique privacy jurisdiction obligations based on services provided and data classification
Confirm that organization and respective third party contract provisions are in place that are specific to the privacy jurisdiction obligations based on services provided (e.g. GLBA Data Safeguarding provisions, FACTA Disposal Rules, Business Associate Agreement, Standard Model Clauses, etc.)
For the organization and each third party in the sample chosen, report the attributes listed above that are not present
If the organization reports that certain attributes listed above are not applicable, report those attributes as exceptions.
Comments:
P.3 Privacy Awareness
Objective:
An organization and its third parties should ensure recurring privacy awareness training occurs for their employees and contractors and that participation records are
maintained. This ensures employees and contractors are aware of key information privacy requirements and their obligations to maintain the privacy of client-scoped
privacy data.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Using the sample from the third party list obtained in P.1 Privacy Program Management, obtain from the organization and the selected third parties, via the organization, a current list or description of the employees and contractors who access the scoped privacy data; a description of the privacy awareness training for the past year for these employees and contractors; and for each sample item, the most recent physical or electronic record evidencing participation in the applicable privacy awareness training.
For each item in the sample, inspect the privacy awareness training materials and participation records or evidence (as appropriate) for the following attributes:
Confirmation in the participation record that the employee has received privacy awareness training within the last year
Privacy information classification and control guidelines, including rules for information collection, use, transmission, retention and destruction
Information on legal, regulatory and contractual responsibilities for privacy
Employee and contractor comprehension testing of the privacy awareness program
Information on consequences (including penalties) for violations of applicable privacy law, contractual obligations or company policy
Information on email and Internet usage guidelines regarding privacy and monitoring
Onboarding privacy training for all employees
Records maintained that document participation in training against target metrics and dates
For each item in the sample, report as a finding:
The number of organization employees and contractors and the number of third parties’ employees and contractors sampled
The number of organization employees and contractors and the number of third parties’ employees and contractors sampled where the evidence of privacy training is older than the previous year or where evidence of privacy training does not exist
Comments:
P.4 Privacy Risk Assessments
Objective:
An organization should maintain a privacy risk assessment process that is in accordance with its legal, regulatory and contractual obligations to provide privacy
protection for client-scoped privacy data. It should demonstrate support for, and commitment to, identifying privacy risks and associated mitigation, including
management reporting. It should, where required, maintain procedures to assess privacy impact and embed privacy requirements based on changes in applicable
law, new systems, applications or devices.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Obtain the following records:
The most recent privacy risk assessments, remediation plans and changes implemented regarding privacy during the past 12 months
The records that identify privacy risk and mitigation plans
Records of any privacy regulator findings
Court ruling(s) concerning scoped privacy data within the last 12 months
Inspect the records for evidence of the following attributes:
Changes to the privacy risk assessment documents based on due diligence, review, compliance and enforcement procedures, onsite audits and security program audits during the past 12 months
Management review and approval
Review to incorporate any privacy regulatory findings
Review to incorporate any court rulings concerning scoped privacy data within the last 12 months
Comments:
P.5 Privacy Notice, Choice & Consent
Objective:
An organization should provide management policy, direction and support for information privacy in accordance with its legal, regulatory and contractual obligations to provide privacy protection for client-scoped privacy data. It should demonstrate support for, and commitment to, information privacy through the issuance, acceptance and maintenance of internal privacy policies across the organization. It should, where required, communicate that commitment to data subjects or individuals via external privacy notices and, where applicable, seek and obtain their consent for certain uses of scoped privacy data (e.g., protected privacy data). It should ensure that third parties’ privacy policies and privacy notices are consistent with the organization’s privacy policies and privacy notices. The privacy policies and privacy notices should incorporate the key areas of privacy and should be reviewed at planned intervals (at least annually), or if significant changes occur, to ensure continuing suitability, adequacy and effectiveness.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Obtain from the organization a copy of their master services agreement with the outsourcer and their most current vendor contract and applicable privacy policy or procedures, and privacy notices. Using the sample of third parties from the list obtained in P.1 Privacy Program Management, obtain a copy of their current contract and supporting documents.
Inspect the privacy policies or procedures for a revision history and documentation that the policy has been approved by management within the last 12 months
Report if the privacy policies contain a date of the last management approval and last periodic review. xx/xx/xx
Inspect the copies of the contract obtained, and identify contract limitations/restrictions regarding privacy. Once identified, inspect the privacy policies and privacy notices (where applicable) for alignment with those requirements.
Inspect the privacy notices for evidence of the following attributes:
Direct reference to scope of applicable privacy jurisdiction or privacy domains based on industry frameworks
Categories of personal information and scoped privacy data collected and the purposes (or restrictions) for which this information is used
Categories of protected, scoped privacy data and requirements to protect this information
Categories of affiliates and other third parties to whom the organization discloses scoped privacy data
Notice of cross-border transfer or access of scoped privacy data (when applicable), with a requirement to comply with applicable privacy laws on cross-border transfers
Security section that states the commitment to protect personal information and scoped privacy data
Data subject access and corrections section that informs individuals how to gain access to scoped privacy data for review, correction and/or deletion
Data subject contact section for questions and complaints
Disclosure regarding the collection of personal information of children
Reference to the law of the jurisdiction, where data is transferred between jurisdictions
Changes to the privacy notice (if any), including effective date
Reference to any applicable data portability processes or procedures for data destruction upon individual request
Web technology used (e.g. pixels, cookies, web beacons), including description(s) and an explanation of how these technologies are used and of any choices the site user has over their use (e.g., opt-out mechanism for online behavioral advertising)
A “consent to the privacy notice” section, which varies from jurisdiction to jurisdiction
Choices regarding receipt of marketing/promotional communications
For the organization, and each third party in the sample chosen, report the attributes listed above that are not present.
If the organization reports that certain attributes listed above are not applicable, report those attributes as exceptions.
Comments:
P.6 Web Site Compliance
Objective:
An organization with Internet-facing website(s) that provides access to scoped data should have a website privacy policy developed, published and communicated to
all users who have access to scoped data from that website.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Obtain from the organization documentation for website setup and security. Using the sampling parameters in the introduction to the Privacy section, select a sample of Internet-facing, publicly-accessible, end-user websites where scoped data is accessible from an inventory of target systems. For each item, access each selected website via a web browser.
Inspect the sample item upon access for evidence that a link to the privacy policy exists
Report the number of websites sampled
Report the sites that do not provide a link to the privacy policy and the number of websites that do not have a privacy statement
Comments:
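The link check in P.6 can be scripted across the whole website sample. The following Python script is an added example, not part of the Shared Assessments template: it parses each sampled site's HTML for an anchor whose text or href refers to a privacy policy or notice and produces the two figures P.6 asks the assessor to report. The site URLs and HTML are constructed sample data, and `fetch_page` is an assumed helper for live use; whether a page also carries a privacy statement still has to be judged by the assessor.

```python
"""Automated support for the P.6 website check: does each sampled
Internet-facing site expose a link to its privacy policy or notice?
Sample pages below are constructed; fetch_page is for live use."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Words that identify a privacy policy/notice link, matched in link text or href.
PRIVACY_TERMS = ("privacy",)


class PrivacyLinkFinder(HTMLParser):
    """Collects <a href=...> elements whose text or href refers to privacy."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self._href = None        # href of the anchor currently open, if any
        self._text = []          # text fragments seen inside that anchor
        self.privacy_links = []  # (link text, absolute URL) pairs found

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None when the <a> has no href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so nested tags (<span>) do not break the text.
            text = " ".join("".join(self._text).split())
            haystack = (text + " " + self._href).lower()
            if any(term in haystack for term in PRIVACY_TERMS):
                self.privacy_links.append((text, urljoin(self.base_url, self._href)))
            self._href = None


def find_privacy_links(base_url, html):
    """Return the privacy-related links found in one page's HTML."""
    finder = PrivacyLinkFinder(base_url)
    finder.feed(html)
    finder.close()
    return finder.privacy_links


def fetch_page(url, timeout=10):
    """Assumed helper for live assessments: fetch HTML, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return None


def assess_sample(pages):
    """pages maps each sampled site URL to its HTML (None = could not be fetched).
    Returns the figures P.6 asks the assessor to report."""
    report = {"sampled": len(pages), "missing_link": [], "unreachable": [], "links": {}}
    for url, html in pages.items():
        if html is None:
            report["unreachable"].append(url)
            continue
        links = find_privacy_links(url, html)
        if links:
            report["links"][url] = links
        else:
            report["missing_link"].append(url)
    return report


def format_report(report):
    """Render the report as the lines the P.6 template asks for."""
    lines = [f"Websites sampled: {report['sampled']}",
             f"Websites without a privacy policy link: {len(report['missing_link'])}"]
    lines += [f"  missing: {url}" for url in report["missing_link"]]
    lines += [f"  unreachable (verify manually): {url}" for url in report["unreachable"]]
    return lines


# Constructed sample: four sites from a hypothetical target-system inventory.
SAMPLE_PAGES = {
    "https://portal.example.test/": (
        '<html><body><footer><a href="/legal/privacy-policy">Privacy Policy</a>'
        '</footer></body></html>'),
    "https://shop.example.test/": (
        '<html><body><a href="/terms">Terms of Use</a> <a href="/contact">Contact</a>'
        '</body></html>'),
    "https://help.example.test/": (
        '<html><body><a href="https://corp.example.test/privacy"><span>Privacy</span>'
        ' Notice</a></body></html>'),
    "https://old.example.test/": None,  # simulates a site that did not respond
}

if __name__ == "__main__":
    for line in format_report(assess_sample(SAMPLE_PAGES)):
        print(line)
```

Sites that did not respond are listed separately rather than counted as non-compliant, since P.6 expects the assessor to access each site and judge it directly.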
P.7 Management of Client-Scoped Privacy Data
Objective:
An organization should ensure that collection, storage, use, access, sharing, transport, retention and deletion of client-scoped privacy data is in accordance with applicable privacy law, privacy policy, privacy notices and industry standard practices, is represented in its documented procedures, and that these procedures are maintained.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Using the sample from the third party list obtained in P.1 Privacy Program Management, obtain from the organization and the selected third parties, via the organization, a copy of the current approved privacy procedures.
Using the privacy policy, privacy notices and procedures obtained from the organization in P.5 Privacy Notice, Choice & Consent, inspect the written privacy procedures for evidence of the following attributes:
Procedures for delivery, collection, storage, use, access and sharing of privacy notices, consents and permissions
Procedures for collection, storage, use, access, sharing, transport, retention and deletion of client-scoped privacy data
Procedures that define that client-scoped privacy data is only collected, stored and used for the purposes for which it was collected
Access to client-scoped privacy data by organization employees, third parties and any other individuals is on a need-to-know basis only
If applicable, the conduct of background, criminal, health or various types of screening of individuals who have access to client-scoped privacy data (including credit, drug, medical or psychological tests)
Procedures to mask, anonymize or de-personalize client-scoped data
Procedures that define organization employee and third party employee obligations to take special care and safeguard protected, client-scoped privacy data at a higher level based on privacy jurisdiction
Procedures that define compliance with applicable privacy law for retention of client-scoped privacy data
Procedures for the secure deletion or removal of scoped privacy data according to the security policy and/or contractual obligation
Procedures for managing compliance with applicable privacy laws or policies that are in conflict from a retention and deletion perspective (e.g., a pending request for discovery of documents in litigation vs. a document deletion regulation covering client-scoped privacy data)
If applicable, procedures for handling client-scoped privacy data outside of the country in which it was collected, including appropriate safeguards for compliance with applicable privacy law, such as cross-border transfers (including permitting access to or viewing) of scoped privacy data and countries where transfer of certain scoped privacy data is prohibited
Procedures to deliver instructions for organization employees and third parties on sharing and cross-border transfers of client-scoped privacy data
Procedures for sharing client-scoped privacy data with affiliates for their use
Procedures to maintain accuracy and currency of client-scoped privacy data
Evidence of approval, including the most recent approver’s title and date of approval
Date of last review xx/xx/xx
Revision history
Procedures to limit viewing by customers of their own data
Procedures to identify, capture, preserve and transfer scoped data, in the event of a legal preservation request, without impacting other scoped data
Procedures that address the quality and accuracy of personal information
For each item in the sample, report:
The total number of service providers and third parties with access to client-scoped privacy data
The number of third parties sampled and the details of the service provider and third parties sampled where the privacy procedures do not address the attributes listed above
Approver’s title and date of approval xx/xx/xx
Date of last review xx/xx/xx
Existence or nonexistence of a revision history by the organization and third party
Comments:
P.8 Data Protection, Privacy Incident Notification and Response Management
Objective:
An organization should establish a formal privacy incident communication procedure, integrated with the security incident response and escalation procedures, to be executed in the event of an unauthorized disclosure or breach, or whenever another privacy communication requirement to data subjects or other entities applies, including applicable law enforcement and governmental agencies. An organization should establish procedures for notification by third parties that access, process or store client-scoped privacy data. These procedures should include the documentation of a post-incident report which documents the unauthorized disclosure or breach, lessons learned and a summary of events related to the incident.
Attribute | Attribute or Document Present (Yes, No, or N/A)
Obtain from the organization its privacy incident response plan, and inspect the plan for evidence of the following attributes:
Process for assessing the data subject category or data classification based on applicable privacy law
Inspect the privacy incident notification section of the organization’s privacy incident response plan for evidence of the following attributes:
Incident notification communication plan and samples
Escalation procedures
Law enforcement, industry (such as card brands, in the case of credit card loss) and regulatory agencies (such as federal, state or data privacy authorities) to contact
Third party breach procedures
Roles and responsibilities are documented
Obtain from the organization a sample of the last incident response report or evidence of privacy incident response logging/reporting, and inspect the sample report for evidence of the incident being summarized and lessons learned identified and documented.
Using the sampling parameters in Section Y, select a sample of third parties from the list obtained in P.1 Privacy Program Management. Obtain from the organization and the selected third parties, via the organization, the privacy and security event communication procedures. For each item in the sample, inspect the document(s) obtained above for evidence of the following attributes:
Privacy communications team, security incident response procedure and escalation procedures, in each case with defined roles and responsibilities
Procedures for notifying and supporting subsequent follow-up for data subjects, third parties, the service provider, organizations or government regulatory bodies, and the media, in each case in accordance with an applicable agreement, privacy law or security law
Requirement to meet the deadlines required by applicable privacy law or applicable security law
The third party’s privacy and security event communications procedures contain the requirements specified in the service provider’s privacy and security event communications procedures
Procedures for handling privacy-related complaints, including notification or escalation to the client
Comments:
P.9 Third Party Privacy Agreements
Objective:
All entities that access, process or store client-scoped privacy data can be a risk to an organization or its clients. Management should ensure that all agreements with
third parties contain specific clauses to ensure scoped privacy data is protected and that certain other privacy requirements are included.
Attribute Attribute or Document Present
(Yes, No, or N/A)
Using the sample of third parties from the list obtained in P.1 Privacy Program Management obtain
from the organization and selected third parties, via the organization, the privacy and security
portions of the agreement with the organization in place for providing services and a
representative sample of third party privacy and security sections of the agreements from each
third party.
Inspect each agreement chosen in the sample for evidence of the following attributes:
Third party requirement to protect all scoped privacy data and protected scoped privacy data
Third party requirement to document the flow of scoped privacy data within its organization and to those
third parties with whom it shares scoped privacy data
Third party requirement to process scoped privacy data in accordance with the agreement
Third party requirement to collect only the minimum scoped privacy data necessary to achieve the
purposes for which it is collected
Third party requirement to collect scoped privacy data by legal means only
Third party requirement to implement policies, procedures and safeguards consistent with the agreement’s
specified privacy requirements, applicable privacy law, policy and industry best practices when managing
scoped privacy data
Third party requirement to notify organization of potential event affecting scoped privacy data
Third party requirement to notify organization if a data subject requests access, correction or deletion of
his/her scoped privacy data, or asks a question or makes a complaint
Third party requirement to comply with applicable privacy law, including countries with privacy laws that
transcend the borders of their country or region (e.g., EU/EEA, by entering into the model clauses for
international data transfers, Canadian, China, AR, AU, NZ, HK, JP and other onward transfer
requirements for privacy of scoped privacy data, such as APEC or various seal programs)
Retain or delete scoped privacy data according to a schedule
Retain scoped privacy data within certain country/region boundaries
Protect organization employee-scoped privacy data
Contractually pass on “at least as stringent” privacy obligations under this agreement to any third parties
that access or handle in any way the scoped privacy data and all further levels/chains of third parties
Prohibition on the sale of scoped privacy data, where required
For the organization, and each third party in the sample chosen, report the attributes listed above that are
not present
Comments:
P.10 Authorizations, Monitoring & Enforcement
Objective:
An organization and its third parties that access, process or store client-scoped privacy data should have completed the applicable notifications, registrations, permits,
approvals and/or adequacy derogations as required by applicable privacy law and have implemented enforcement and monitoring procedures that address privacy
incidents, complaints or disputes based on its privacy obligations.
Attribute Attribute or Document Present
(Yes, No, or N/A)
Obtain from the organization the legal authorizations for privacy-related data collected and stored
by the company.
Obtain artifacts of records of legal authorizations and any related documentation required under applicable
privacy law and their privacy inventory flow. This includes registrations and permits from authorities in
each jurisdiction receiving scoped privacy data identified in the privacy inventory flow, required by
applicable privacy law, privacy notices for each applicable jurisdiction and the adequacy of mechanisms,
such as individual consents, Privacy Shield filings, model contracts, binding corporate rules, and/or other
derogations. This may also include due diligence of the privacy function, compliance and enforcement
events, external security program audits, change management procedures, remediation plans and
changes implemented during the past 12 months and any privacy regulator finding(s) or court ruling(s)
concerning scoped privacy data.
Inspect documentation for the following attributes:
Notifications, registrations, permits and approvals and adequacy mechanisms (such as Privacy Shield, binding
corporate rules and any approval required by data protection authorities)
Mandated reviews and/or approvals of privacy material required under applicable privacy laws
Outstanding requests from data protection authorities or any other entity that regulates scoped privacy
data
Outstanding remedial steps for any disputes or legal authorizations not granted by any data protection
authority or any other entity that regulates scoped privacy data
List of legal authorizations, permits or registrations required
Completed authorization documentation that documents purpose for each applicable legal authorization
Privacy Shield or data protection authority related filings and related compliance documentation
Privacy data flows including cross-border transfers
Documentation on handling of privacy complaints and dispute resolution processes
Using the sample of third parties from the list obtained in P.1 Privacy Program Management,
obtain from the organization and the selected third parties, via the organization, artifacts and
records of legal authorizations, permits, registrations, and any related documentation required
under applicable privacy law and their privacy inventory flow. This would also include due
diligence of the privacy function, compliance and enforcement events, external security program
audits, change management procedures, remediation plans, changes implemented during the past
12 months and any privacy regulator finding(s) or court ruling(s) concerning scoped privacy data.
For each item in the sample, inspect for the following attributes:
Notifications, registrations, permits and approvals and adequacy mechanisms (such as EU model clauses,
Safe Harbor, binding corporate rules and any approval required by data protection authorities)
Mandated reviews and/or approvals of privacy material required under applicable privacy laws
Outstanding requests from data protection authorities or any other entity that regulates scoped privacy
data
Outstanding remedial steps for any disputes or legal authorizations not granted by any data protection
authority or any other entity that regulates scoped privacy data
For each item in the sample, report the organization and third parties with access to scoped privacy data
who do not have documentation of the approvals required by the data protection authorities and mandated
reviews required under applicable privacy laws.
For each item in the sample, report records of outstanding requests from data protection authorities or any
other entity that regulates scoped privacy data and records from outstanding remedial steps for any
disputes or legal authorizations not granted by any data protection authority or any other entity that
regulates scoped privacy data.
Comments:
The Shared Assessments Program has been setting the standard in third party risk assessments since 2005. Shared Assessments, the trusted source in third party risk assurance, is a member-driven, industry-standard body with tools and best practices, that injects speed, consistency, efficiency and cost savings into the control assessment process. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all third party risk management stakeholders a faster, more rigorous, more efficient and less costly means of conducting security, privacy and business resiliency control assessments.
P: (505) 466-6434 F: (505) 466-3111 E: [email protected]